File: //usr/share/shorewall/configfiles/stoppedrules.annotated
#
# Shorewall -- /etc/shorewall/stoppedrules
#
# For information about entries in this file, type "man shorewall-stoppedrules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
#
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
###############################################################################
#
# This file is used to define the hosts that are accessible when the firewall is
# stopped or is being stopped.
#
# Warning
#
# Changes to this file do not take effect until after the next shorewall start,
# shorewall reload, shorewall restart, or shorewall compile command.
#
# The columns in the file are as follows (where the column name is followed by a
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
# ACTION - ACCEPT|NOTRACK|DROP
#
# Determines the disposition of the packet.
#
# ACCEPT means that the packet will be accepted.
#
# NOTRACK indicates that no conntrack entry should be created for the packet.
# NOTRACK does not imply ACCEPT.
#
# DROP was added in Shorewall 4.6.0 and causes the packet to be dropped in
# the raw table's PREROUTING chain.
#
# SOURCE - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[,
# address]...]
#
# $FW matches packets originating on the firewall itself, while interface
# specifies packets arriving on the named interface.
#
# This column may also include a comma-separated list of IP/subnet addresses.
# If your kernel and iptables include iprange match support, IP address
# ranges are also allowed. Ipsets and exclusion are also supported. When $FW
# or interface are specified, the list must be preceded by a colon (":").
#
# If left empty or supplied as "-", 0.0.0.0/0 is assumed.
#
# DEST - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[,
# address]...]
#
# $FW matches packets addressed the firewall itself, while interface
# specifies packets arriving on the named interface. Neither may be specified
# if the target is NOTRACK or DROP.
#
# This column may also include a comma-separated list of IP/subnet addresses.
# If your kernel and iptables include iprange match support, IP address
# ranges are also allowed. Ipsets and exclusion are also supported. When $FW
# or interface are specified, the list must be preceded by a colon (":").
#
# If left empty or supplied as "-", 0.0.0.0/0 is assumed.
#
# PROTO (Optional) ‒ protocol-name-or-number[,...]
#
# Protocol.
#
# Beginning with Shorewall 4.5.12, this column can accept a comma-separated
# list of protocols.
#
# DPORT ‒ service-name/port-number-list
#
# Optional. A comma-separated list of port numbers and/or service names from
# /etc/services. May also include port ranges of the form low-port:high-port
# if your kernel and iptables include port range support.
#
# This column was formerly labelled DEST PORT(S).
#
# SPORT ‒ service-name/port-number-list
#
# Optional. A comma-separated list of port numbers and/or service names from
# /etc/services. May also include port ranges of the form low-port:high-port
# if your kernel and iptables include port range support.
#
# Beginning with Shorewall 4.5.15, you may place '=' in this column, provided
# that the DPORT column is non-empty. This causes the rule to match when
# either the source port or the destination port in a packet matches one of
# the ports specified in DEST PORTS(S). Use of '=' requires multi-port match
# in your iptables and kernel.
#
# This column was formerly labelled SOURCE PORT(S).
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT